Hello Splunk Community,
Business requirements are pushing my knowledge of Splunk so far... just wondering if a Splunk query can be subdivided into methods/functions? The current scenario I'm trying to figure out is depending on a search result which can have multiple fields... the 3rd search/subsearch field would vary.
*Pseudo Logic goes:*

```
if precheck field outputs A
do
    search A1 cond, B1 cond, C1 cond
else
    if precheck field outputs B
    do
        search B1 cond, D1 cond, E1 cond
```
I'm already doing a join to arrive at the precheck output.

I tried this:

```
...| eval search1 = "Field1=Y AND Field 2="xxxx" AND Field 3="bbbbb""
| eval search2 = "Field4=N AND Field5="zzzz""
| eval filter=if (COND=1, search1, search2)
| search filter
```

but I'm getting this error: **"Error in eval command, Fields cannot be assigned a boolean result, Instead, try if(bool expr, expr, expr)"**
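One way to express the branching inside a single pipeline, as an added example that is not from the original post or from Splunk's documentation: instead of building a search string in a field, put the two branches directly into a `where` clause and let `COND` select which one applies. The field names come from the post; the `COND` values `1` and `2`, and the first five lines that fabricate sample events with `makeresults`, are constructed here to stand in for the join output and are not part of the question.

```spl
| makeresults count=4
| streamstats count AS n
| eval COND=case(n<=2, 1, true(), 2)
| eval Field1=case(n=1, "Y", n=2, "N"), Field2=if(n<=2, "xxxx", null()), Field3=if(n<=2, "bbbbb", null())
| eval Field4=case(n=3, "N", n=4, "Y"), Field5=if(n>2, "zzzz", null())
| where (COND=1 AND Field1="Y" AND Field2="xxxx" AND Field3="bbbbb")
     OR (COND=2 AND Field4="N" AND Field5="zzzz")
| table n COND Field1 Field2 Field3 Field4 Field5
```

With the constructed data only rows `n=1` (branch A) and `n=3` (branch B) survive the `where`. To use it for real, replace the `makeresults`/`eval` lines with your base search and join. Two things explain the error you saw: `eval` refuses to assign a bare boolean to a field (which is what the unescaped inner quotes turned your string into), so a flag field must be written as `eval keep=if(<bool expr>, 1, 0)` and filtered with `| where keep=1`; and `| search filter` searches for the literal word `filter`, not for the contents of the field. If you genuinely need a dynamic search string, the usual pattern is a subsearch that builds it and hands it back with `return`, e.g. `| search [ <precheck search> | eval filter=if(COND=1, "Field1=Y AND Field2=\"xxxx\" AND Field3=\"bbbbb\"", "Field4=N AND Field5=\"zzzz\"") | return $filter ]`, escaping the inner quotes with backslashes.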